No-overhead Capture. Automatic Path routing. Capture tool output. No cap.
NOCAP is a zero-dependency command capture wrapper built for security operators.
Drop it in front of any tool and it handles the rest: smart file naming, engagement
directory routing, auto subdir routing, collision avoidance, live TTY output,
completion status with elapsed time, and interactive capture browsing.
No more | tee recon/nmap-sCV.txt one-liners.
# $TARGET set or op_* tmux session active → routes to /workspace/<target>/
export TARGET=10.10.10.5
cap nmap -sCV 10.10.10.5
# → /workspace/10.10.10.5/nmap_sCV.txt
# No engagement context → writes to current directory
cap nmap -sCV 10.10.10.5
# → ./nmap_sCV.txtpipx install git+https://github.com/BLTSEC/NOCAP.gitOr directly from source:
git clone https://github.com/BLTSEC/nocap
pipx install ./nocapcap [options] [subdir] <command> [args...]
cap grab [options] [command...]
cap last | cat | tail | open | rm | summary | render
cap ls [subdir]
cap update
| Flag | Description |
|---|---|
-n, --note <label> |
Append a custom label to the output filename |
-s, --subdir <name> |
Write to a custom subdir (created if needed) |
-a, --auto |
Auto-route to subdir based on tool name (opt-in) |
-D, --dry-run |
Show where output would go without running |
| Command | Description |
|---|---|
cap last |
Print the path of the last captured file |
cap cat |
Dump last capture to stdout with clean rendered output |
cap tail |
Follow last capture from the start — useful while a scan runs in another pane |
cap open |
Open last capture in $EDITOR, or rendered through less |
cap rm |
Delete the last captured file |
cap summary [keyword] |
Compact table of all captures, or search across them by keyword |
cap render [file] |
Render a capture (or the last one) through the VT100 cleaner — strips ANSI, progress bars, cursor noise |
cap ls [subdir] |
Browse captures interactively (fzf) or list them. Accepts any subdir name. |
cap grab [cmd...] |
Retroactively capture the last command's output from tmux scrollback |
cap update |
Update nocap to the latest version via pipx |
| Variable | Description |
|---|---|
NOCAP_AUTO=1 |
Enable --auto subdir routing by default without the flag |
NOCAP_WORKSPACE=path |
Override the base workspace directory (default: /workspace) |
# Basic capture — output goes to cwd by default
cap nmap -sCV 10.10.10.5
# Explicit subdir
cap recon gobuster dir -u http://10.10.10.5 -w /wordlist.txt
cap loot hashcat -m 1000 hashes.txt /wordlist.txt
# Custom subdir (created automatically if it doesn't exist)
cap -s pivoting chisel client 10.10.14.5:8080 R:socks
cap -s ad-enum bloodhound-python -u user -p pass -d corp.local
# Add a note to distinguish runs with the same flags
cap -n after-creds nmap -sCV 10.10.10.5
cap -n authenticated feroxbuster -u http://10.10.10.5 -x php,html
# Combined short flags
cap -an after-creds nmap -sCV 10.10.10.5 # -a and -n together
cap -aD nmap -sCV 10.10.10.5 # dry-run with auto routing
# Auto-routing: infers subdir from the tool name
cap --auto nmap -sCV 10.10.10.5 # → recon/nmap_sCV.txt
cap --auto hashcat -m 1000 h.txt wl # → loot/hashcat_m_1000.txt
cap --auto msfconsole # → exploitation/msfconsole.txt
# NOCAP_AUTO=1: make auto-routing the default, no flag needed
export NOCAP_AUTO=1
cap nmap -sCV 10.10.10.5 # → recon/ automatically
# Preview routing without running
cap -D feroxbuster -u http://10.10.10.5
# Retroactive capture — forgot to cap? grab it from tmux scrollback
cap grab # auto-detect last command
cap grab nmap -sCV 10.10.10.5 # explicit command
cap grab -n initial -s recon # with note + subdir
# Work with the last captured file
cap last # print the path
cap cat # dump to stdout
cap tail # follow live — watch a scan from another pane
cap open # open in $EDITOR / bat / less
cap rm # delete it
grep -i password $(cap last)
cp $(cap last) ~/report/evidence.txt
# Engagement overview
cap summary # timestamp, lines, size, path for all captures
cap summary passwords # find credentials across all captures
cap summary hashes # find crackable hashes
cap summary ports # open ports from all nmap/scan output
cap summary admin # literal keyword search
cap ls # interactive fzf browser
cap ls recon # scoped to recon/
cap ls pivoting # any custom subdir works
# Update to latest
cap updateNOCAP resolves your engagement directory automatically — no configuration needed.
| Priority | Condition | Output location |
|---|---|---|
| 1 | $TARGET env var is set |
$NOCAP_WORKSPACE/$TARGET/<subdir>/ |
| 2 | Active tmux session named op_* |
$NOCAP_WORKSPACE/<target>/<subdir>/ |
| 3 | Fallback | ./<subdir>/ (current directory) |
The workspace root defaults to /workspace and can be overridden:
export NOCAP_WORKSPACE=/ops
export TARGET=10.10.10.5
cap nmap -sCV 10.10.10.5
# → /ops/10.10.10.5/nmap_sCV.txtSet TARGET manually for non-tmux workflows:
export TARGET=10.10.10.5
cap nmap -sCV 10.10.10.5
# → /workspace/10.10.10.5/nmap_sCV.txtWith --auto / -a, NOCAP infers the engagement subdir from the tool name.
Default behavior (without the flag) writes to cwd — no routing is applied.
Set NOCAP_AUTO=1 to make auto-routing the default for every capture without
typing the flag:
export NOCAP_AUTO=1
cap nmap -sCV 10.10.10.5 # → recon/ automatically
cap hashcat -m 1000 h.txt wl # → loot/ automaticallyAdd it to your shell profile (.zshrc, .bashrc) or Exegol's shell init to
make it permanent.
cap --auto nmap -sCV 10.10.10.5
# → /workspace/10.10.10.5/recon/nmap_sCV.txt
cap --auto hashcat -m 1000 hashes.txt /wl.txt
# → /workspace/10.10.10.5/loot/hashcat_m_1000.txtAn explicit subdir always takes precedence over --auto:
cap -s notes nmap -sCV 10.10.10.5
# → /workspace/10.10.10.5/notes/nmap_sCV.txtTool→subdir map:
| Subdir | Tools |
|---|---|
recon |
Network: nmap, rustscan, masscan, autorecon, naabu, udpx, netdiscover, fping, arp-scan, zmap, unicornscan |
| Web fuzzing: gobuster, feroxbuster, ffuf, wfuzz, dirsearch, dirb, arjun, kr | |
| Web scanning: whatweb, nikto, nuclei, httpx, httprobe, http, curl, wget, hakrawler, katana, gospider, cariddi, gau, bbot, uncover, patator, ssh-audit, searchsploit | |
| Secrets/git: trufflehog, gitleaks, git-dumper | |
| CMS: wpscan, wpprobe, joomscan, droopescan, drupwn, cmsmap, moodlescan | |
| SSL/TLS: testssl, sslscan, wafw00f, cors_scan | |
| DNS/Subdomain: dnsx, amass, subfinder, sublist3r, findomain, assetfinder, massdns, shuffledns, fierce, dnsenum, dnsrecon, dnschef, waybackurls, dig, whois | |
| SMB/LDAP/AD: enum4linux, enum4linux-ng, ldapsearch, smbclient, smbmap, smbclientng, rpcclient, windapsearch, ldeep, pywerview, godap, manspider, msprobe, adidnsdump, daclsearch, nbtscan, smtp-user-enum, pysnaffler | |
| SNMP/NFS: snmpwalk, onesixtyone, showmount | |
| Kerberos/AD collection: kerbrute, netexec, crackmapexec, sprayhound, smartbrute, ldapdomaindump, bloodhound-python, rusthound, rusthound-ce | |
| OSINT: theHarvester, recon-ng, spiderfoot, sherlock, maigret, holehe, ghunt, phoneinfoga, censys, GitFive, photon, finalrecon, maltego | |
| Cloud: scout, cloudsplaining, prowler, cloudmapper.py | |
| WiFi: bettercap, hcxdumptool, airodump-ng, kismet | |
screenshots |
eyewitness, EyeWitness, gowitness, aquatone, webscreenshot |
loot |
Cracking: hashcat, john, hydra, medusa, legba, fcrackzip, pdfcrack, nth, haiti, pkcrack, ncrack, aircrack-ng, hcxpcapngtool |
| Forensics/stego: volatility, volatility3, binwalk, foremost, steghide, stegseek, exiftool, zsteg | |
| Dumping: pypykatz, lsassy, donpapi, gosecretsdump, dploot, masky, crackhound, keytabextract, PCredz, firefox_decrypt | |
exploitation |
C2/Frameworks: msfconsole, msfvenom, msfdb, sliver-server, sliver-client, ps-empire, havoc, Villain.py, pwncat-vl, pwncat-cs, routersploit |
| Tunneling: ligolo-ng, chisel, socat | |
| Web: sqlmap, weevely, xsstrike, nosqlmap, gopherus, ssrfmap, ysoserial, phpggc, XXEinjector, php_filter_chain_generator, jdwp-shellifier, byp4xx, h2csmuggler, smuggler, tomcatWarDeployer, clusterd, token-exploiter, dalfox, commix, tplmap, ghauri, jwt_tool, swaks | |
| AD/Windows: evil-winrm, evil-winrm-py, mitm6, ntlmrelayx.py, krbrelayx.py, aclpwn, coercer, petitpotam.py, dfscoerce.py, shadowcoerce.py, pywhisker, targetedKerberoast.py, bloodyAD, autobloody, gpoddity, goexec, certipy, noPac.py, pre2k, passthecert.py, sccmhunter.py, pxethief, remotemonologue.py | |
| Impacket: psexec.py, wmiexec.py, smbexec.py, atexec.py, dcomexec.py, secretsdump.py, GetNPUsers.py, GetUserSPNs.py |
All last-file subcommands operate on the most recently captured file.
cap last # print the path
cap cat # dump to stdout — rendered clean (no ANSI/progress noise)
cap tail # follow from the start — watch a running scan
cap open # open in $EDITOR, or rendered through less
cap rm # delete the capture
cap render # render last capture through VT100 cleaner
cap render /path/to/file # render any capture file
# Compose last with other tools
grep -i password $(cap last)
cp $(cap last) ~/report/evidence.txtcap cat and cap open automatically render captures through the built-in VT100 cleaner,
stripping ANSI escape codes, progress bar redraws, and cursor noise to produce clean readable text.
cap open picks the best available viewer in order: $EDITOR (raw file) → less (rendered).
Without a keyword, prints a compact table of all captures — timestamp, line count, size, and relative path:
2026-02-23 14:32 1234 lines 45.2K recon/nmap_sCV.txt
2026-02-23 14:28 892 lines 28.1K recon/gobuster_dir.txt
2026-02-23 13:55 310 lines 9.8K loot/hashcat_m_1000.txt
With a keyword, searches across all captures and prints matching lines grouped by file:
cap summary passwords # credential patterns (netexec, hydra, config files)
cap summary hashes # NTLM, MD5, SHA1, SHA256 patterns
cap summary users # username/login/account patterns
cap summary emails # email addresses
cap summary ports # open port lines (nmap: 80/tcp open)
cap summary vulns # CVEs, vulnerable, exploitable, severity: critical/high
cap summary urls # HTTP/HTTPS URLs
cap summary admin # literal keyword — any term
cap summary "HTB{.*}" # regex — match HTB flags
cap summary "FLAG{[^}]+}" # regex — generic CTF flag format
cap summary "\d+\.\d+\.\d+\.\d+" # regex — all IPs across every captureThe keyword is first matched against named patterns, then tried as a regex, then falls back to a literal case-insensitive search if the regex is invalid.
Output groups matches by file with the filename highlighted:
recon/netexec_smb.txt
[+] CORP\administrator:Password123! (Pwn3d!)
loot/hashcat_m_1000.txt
admin:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
recon/nmap_sCV.txt
80/tcp open http Apache httpd 2.4.38
443/tcp open https Apache httpd 2.4.38
Lists all captures for the current engagement. Uses fzf with rendered preview if available, falls back to a compact table (relative paths, human-readable sizes, line counts). Preview renders captures through the VT100 cleaner for readable output.
The subdir argument accepts any directory name — not just the built-in ones:
cap ls # all files under current engagement dir, newest first
cap ls recon # scoped to recon/ subdir
cap ls pivoting # any custom subdir worksRetroactive capture — for when you forget to cap a command. If you're in tmux, cap grab
pulls the last command's output from the pane scrollback and writes a standard cap file.
# Auto-detect last command from shell history
cap grab
# Explicit command — searches scrollback for this specific output
cap grab nmap -sCV 10.10.10.5
# Works with all standard flags
cap grab -n initial # add a note
cap grab -s recon # route to subdir
cap grab -a # auto-route by tool name
cap grab -n after-creds nmap -sCV 10.10.10.5 # explicit command + noteHow it works:
- Captures the full tmux pane scrollback (
tmux capture-pane) - Detects the last command from shell history (zsh and bash), or uses the command you provide
- Extracts the output between the command line and the
cap grabprompt - Writes a file with the same
Command: / Date: / ---header as a live capture
Requires tmux — that's where the scrollback buffer lives. Outside tmux, you'll get a
clear error with a tip to use cap <command> next time.
cap updateRe-installs nocap from the latest commit on GitHub using pipx install --force.
Requires pipx (the same tool used to install nocap).
NOCAP derives a clean filename from your command. IPs (v4 and v6), absolute paths, wordlists, and raw numeric values are stripped automatically. Meaningful flags and subcommands become the filename, and safe target context is added when it helps — usually the first label from a hostname or URL.
Full FQDNs and full URLs are not dumped into the filename. NOCAP keeps them
concise by using short target hints such as target, portal, or
castelblack_winterfell.
| Command | Output file |
|---|---|
cap nmap -sCV 10.10.10.5 |
nmap_sCV.txt |
cap nmap -sCV target.htb |
nmap_sCV_target.txt |
cap nmap -p- --min-rate 5000 10.10.10.5 |
nmap_p-_min-rate.txt |
cap nmap -Pn -sT -sV castelblack.north.sevenkingdoms.local winterfell.north.sevenkingdoms.local |
nmap_Pn_sT_sV_castelblack_winterfell.txt |
cap gobuster dir -u https://portal.example.local/login -w /wl.txt |
gobuster_dir_portal.txt |
cap netexec smb 10.10.10.5 -u admin -p pass |
netexec_smb.txt |
cap feroxbuster -u http://10.10.10.5 -x php,html |
feroxbuster_x_phphtml.txt |
cap loot hashcat -m 1000 hashes.txt /wl.txt |
loot/hashcat_m.txt |
cap -n after-creds nmap -sCV target.htb |
nmap_sCV_target_after-creds.txt |
Collisions are resolved automatically and atomically (race-safe):
nmap_sCV.txt → nmap_sCV_2.txt → nmap_sCV_3.txt
IPv6 addresses are stripped just like IPv4:
cap nmap -sCV dead:beef::1
# → nmap_sCV.txtEvery output file starts with a structured header:
Command: nmap -sCV 10.10.10.5
Date: Fri Feb 20 14:30:52 EST 2026
---
Starting Nmap 7.94 ...
NOCAP runs commands under a PTY so tools behave exactly as they would in a normal terminal — colours, progress bars, and interactive prompts all work.
Shell functions and aliases (defined in .zshrc, .bashrc, etc.) are supported
automatically — if the command isn't found as a binary on $PATH, NOCAP wraps
the invocation in $SHELL -ic "..." so your shell profile is sourced.
When a command finishes, NOCAP prints a one-line summary with exit status and elapsed time:
[✓] nmap_sCV.txt (12.3s)
[✗ 1] feroxbuster_x_php.txt (0.4s)
A bell (\a) also fires on completion so you can task-switch in tmux and get
notified when a long scan finishes.
Standard library only. Python 3.9+. No third-party packages required. Optional enhancements if present on your PATH:
| Tool | Used by |
|---|---|
| fzf | cap ls — interactive file browser with rendered preview |
| less | cap open — pager for rendered output |
NOCAP integrates with the standard engagement layout:
/workspace/<target>/
├── recon/ ← scanning, enumeration, OSINT output
├── exploitation/ ← C2 sessions, payloads, AD attacks
├── loot/ ← cracked hashes, dumped credentials
├── screenshots/ ← eyewitness, gowitness output
└── notes/ ← operator notes
git clone https://github.com/BLTSEC/nocap
cd nocap
pipx install -e ".[dev]" # installs nocap + pytest in editable mode
# or just run tests without installing:
PYTHONPATH=src pytest tests/ -vTests cover filename generation (tests/test_filename.py), argument
parsing (tests/test_parsing.py), and grab helpers (tests/test_grab.py).
Built for operators who move fast and document everything.